Accuvant LABS Releases Pwn2Own-Winning Java Exploit Details

Denver – May 21, 2013 – Accuvant LABS, the largest and most elite army of technical security professionals in the world, today released the details of a Java exploit that enabled Accuvant research practice manager Joshua J. Drake to win CanSecWest’s Pwn2Own 2013. During the competition, Drake circumvented address space layout randomization (ASLR) and data execution prevention (DEP) to take control of a fully patched Windows OS within 15 seconds.

Accuvant LABS’ exploit code, as well as a white paper containing detailed information about the vulnerabilities, primitives and exploitation techniques, is available for download on the Accuvant website.

“Profit-motivated criminals continue to increase their usage of web browser exploitation and vulnerable plug-in technology to steal important enterprise-level data and cause damage in various ways,” said Jon Miller, vice president of research and development for Accuvant. “Joshua’s Java exploit exemplifies the type of information security research our dedicated team of experts conducts on a daily basis – we’re finding practical answers to the biggest market problems so that we can help protect organizations from existing and emerging threats.”

Uses for this latest Accuvant LABS Java exploit:

Organizations can:

  • Verify patches are properly applied
  • Confirm that Java applets and classes used in this type of attack are blocked
  • Test firewalls and anti-virus for protection

Penetration testing teams can:

  • Determine whether or not organizations are vulnerable

Accuvant’s practical information security research is the backbone for all of its services and solutions. The company’s enterprise security assessments deliver a comprehensive analysis of an organization’s information and data security from the perspective of would-be attackers with and without privileged access to the facility or environment. The service focuses on the technical vulnerabilities within an environment as well as the logical, procedural and strategic goals of the organization.

Oracle, the maker of Java, and the Zero Day Initiative (ZDI), the Pwn2Own contest sponsor, have both released their public advisories for these issues. In addition, Oracle has taken steps to reduce the attack surface of JRE 7 in Update 11.

About Accuvant
Accuvant is the Authoritative Source for information security. Since 2002, the company has served more than 5,200 clients, including half of the Fortune 100 and more than 900 educational institutions and government entities. Headquartered in Denver, Accuvant has offices across the United States and Canada and boasts the largest and most elite army of technical security professionals in the world – Accuvant LABS. For more information, please visit

# # #